CVE-2025-2160

Name

Reflected Cross-Site Scripting

CVSS score

8.1 (High)

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Product name

Pega Platform

Confirmed exploitable versions

8.4.3 to Infinity 24.2.1

Researcher

Kacper Paluch, Maciej Włodarczyk, Jakub Sajniak

Description

Reflected Cross-Site Scripting vulnerability exists in the Pega Infinity Platform version 8.4.3 to 24.2.1. A specially crafted URL can trigger XSS attack. Successful attack requires victim interaction (clicking on the malicious link) and can result in modifying or exfiltrating data from the affected application.
Special thanks to Jakub Sajniak for their insights on identifying XSS vulnerabilities in the Pega Platform.

Proof-of-concept

PoC: TBA

Timeline

17-12-2024 - Vulnerability reported to vendor
14-04-2025 - Security advisory is published by the vendor

References

https://support.pega.com/support-doc/pega-security-advisory-d25-vulnerability-remediation-note
https://www.cve.org/CVERecord?id=CVE-2025-2160